Bug 1457301 - Crash in mozilla::ipc::ProcessLink::SendMessage | IPC_Message_Name=PBrowser::Msg_AsyncMessage. r=mccr8.

Add back code to block big messages in DispatchAsyncMessage that wasn't added to the codepath used by the WebIDL bindings. Also remove the non-WebIDL version of DispatchAsyncMessage, as it's now unused. --HG-- extra : rebase_source : ec7e5663683c98de4275ce05d6ada2f175dcb355
2024-10-18 07:45:30 +00:00 · 2018-05-16 22:29:37 +02:00 · 2018-05-16 22:29:37 +02:00 · 0e48ffc2b4
commit 0e48ffc2b4
parent caba9f10be
2 changed files with 16 additions and 46 deletions
--- a/dom/base/nsFrameMessageManager.cpp
+++ b/dom/base/nsFrameMessageManager.cpp
@ -558,11 +558,6 @@ nsFrameMessageManager::SendMessage(JSContext* aCx,
  NS_ASSERTION(!GetParentManager(),
               "Should not have parent manager in content!");

-  if (!AllowMessage(aData.DataLength(), aMessageName)) {
-    aError.Throw(NS_ERROR_FAILURE);
-    return;
-  }
-
 #ifdef FUZZING
  if (aData.DataLength() > 0) {
    MessageManagerFuzzer::TryMutate(
@ -573,6 +568,11 @@ nsFrameMessageManager::SendMessage(JSContext* aCx,
  }
 #endif

+  if (!AllowMessage(aData.DataLength(), aMessageName)) {
+    aError.Throw(NS_ERROR_FAILURE);
+    return;
+  }
+
  if (!mCallback) {
    aError.Throw(NS_ERROR_NOT_INITIALIZED);
    return;
@ -643,39 +643,6 @@ nsFrameMessageManager::DispatchAsyncMessageInternal(JSContext* aCx,
  return NS_OK;
 }

-nsresult
-nsFrameMessageManager::DispatchAsyncMessage(const nsAString& aMessageName,
-                                            const JS::Value& aJSON,
-                                            const JS::Value& aObjects,
-                                            nsIPrincipal* aPrincipal,
-                                            const JS::Value& aTransfers,
-                                            JSContext* aCx,
-                                            uint8_t aArgc)
-{
-  StructuredCloneData data;
-  if (aArgc >= 2 && !GetParamsForMessage(aCx, aJSON, aTransfers, data)) {
-    return NS_ERROR_DOM_DATA_CLONE_ERR;
-  }
-
-#ifdef FUZZING
-  if (data.DataLength()) {
-    MessageManagerFuzzer::TryMutate(aCx, aMessageName, &data, aTransfers);
-  }
-#endif
-
-  if (!AllowMessage(data.DataLength(), aMessageName)) {
-    return NS_ERROR_FAILURE;
-  }
-
-  JS::Rooted<JSObject*> objects(aCx);
-  if (aArgc >= 3 && aObjects.isObject()) {
-    objects = &aObjects.toObject();
-  }
-
-  return DispatchAsyncMessageInternal(aCx, aMessageName, data, objects,
-                                      aPrincipal);
-}
-
 void
 nsFrameMessageManager::DispatchAsyncMessage(JSContext* aCx,
                                            const nsAString& aMessageName,
@ -691,6 +658,17 @@ nsFrameMessageManager::DispatchAsyncMessage(JSContext* aCx,
    return;
  }

+#ifdef FUZZING
+  if (data.DataLength()) {
+    MessageManagerFuzzer::TryMutate(aCx, aMessageName, &data, aTransfers);
+  }
+#endif
+
+  if (!AllowMessage(data.DataLength(), aMessageName)) {
+    aError.Throw(NS_ERROR_FAILURE);
+    return;
+  }
+
  aError = DispatchAsyncMessageInternal(aCx, aMessageName, data, aObjects,
                                        aPrincipal);
 }
--- a/dom/base/nsFrameMessageManager.h
+++ b/dom/base/nsFrameMessageManager.h
@ -256,14 +256,6 @@ public:
    return mCallback;
  }

-  nsresult DispatchAsyncMessage(const nsAString& aMessageName,
-                                const JS::Value& aJSON,
-                                const JS::Value& aObjects,
-                                nsIPrincipal* aPrincipal,
-                                const JS::Value& aTransfers,
-                                JSContext* aCx,
-                                uint8_t aArgc);
-
  nsresult DispatchAsyncMessageInternal(JSContext* aCx,
                                        const nsAString& aMessage,
                                        StructuredCloneData& aData,